users@glassfish.java.net

Re: glassfish w/ mod_jk and ssl

From: Jan Luehe <Jan.Luehe_at_Sun.COM>
Date: Fri, 26 Feb 2010 10:15:53 -0800

On 02/25/10 09:04 PM, Cam Bazz wrote:
> Hello,
>
> I have been hiding my glassfish behind apache successfully using
> mod_jk. I also successfully configured http-listener-2 with an SSL
> certificate. I also followed the documentation on
>
> http://wiki.glassfish.java.net/attach/AdministrationGuide/SJSASEEAG.pdf#114
> (page 114)
>
> and in my workers.properties
>
> worker.list=ajp13unsecure, ajp13secure
> worker.ajp13secure.type=ajp13
> worker.ajp13secure.host=localhost
> worker.ajp13secure.port=8009
> worker.ajp13unsecure.type=ajp13
> worker.ajp13unsecure.host=localhost
> worker.ajp13unsecure.port=8010
>
> and on httpd.conf
>
> JkExtractSSL On
> JkHTTPSIndicator HTTPS
> JkSESSIONIndicator SSL_SESSION_ID
> JkCIPHERIndicator SSL_CIPHER
> JkCERTSIndicator SSL_CLIENT_CERT
>
> however, when the http-listener-2 is configured as a JK listener,
> connection to port 443 will be interrupted. (as firefox says), where
> google chrome will say "Error 107 (net::ERR_SSL_PROTOCOL_ERROR):
> Unknown error."
>
> I have also looked with tcpdump to see what is going on and the server
> issues a FIN packet, thus finishing the connection.
>
> I am also running 3 virtual domains with apache
>
> <VirtualHost 1.1.1.1:80>
> ServerName www.mysite.com
> JkMount /* worker1
> </VirtualHost>
>
> <VirtualHost 1.1.1.1:443>
> ServerName www.mysite.com
> JkMount /* worker2
> </VirtualHost>
>

I *think* there is a problem with the current documentation, but I
will need to verify.

It is my understanding that with SSL-enabled Apache and JkExtractSSL
turned on, Apache will perform all the SSL validation and proxy the
request in the clear over mod_jk, along with all its SSL related
attributes (such as SSL session id, cipher, and client cert chain), to
indicate to the backend (GlassFish) that the original request (from
the client to Apache) came in over https (instead of plain http), so that
a call to ServletRequest#isSecure on the backend will return true.

I believe that with this configuration, it will be sufficient to
configure a single, non secure mod_jk connector on the GlassFish
backend.

But it also looks like your httpd.conf is misconfigured: In your
<virtualhost> sections, you reference "worker1" and "worker2",
but your workers are named "ajp13unsecure" and "ajp13secure",
respectively.


Jan

> and another virtual domain on another ip, to serve things like images.
>
> I have been debugging all night, and I decided to ask on the mailing list.
>
> any ideas / help / recommendation greatly appreciated.
>
> Best Regards.
> -C.B.
>
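
The worker-name mismatch pointed out in the reply above can be caught mechanically. The following is an added example, not part of the original thread and not mod_jk code: a Python check that every JkMount target appears in worker.list, run on the two configuration excerpts copied from the message. The function names are hypothetical.

```python
import re

# Both excerpts are copied from the message above.
WORKERS = """worker.list=ajp13unsecure, ajp13secure
worker.ajp13secure.type=ajp13
worker.ajp13secure.host=localhost
worker.ajp13secure.port=8009
worker.ajp13unsecure.type=ajp13
worker.ajp13unsecure.host=localhost
worker.ajp13unsecure.port=8010"""
HTTPD = """<VirtualHost 1.1.1.1:80>
ServerName www.mysite.com
JkMount /* worker1
</VirtualHost>
<VirtualHost 1.1.1.1:443>
ServerName www.mysite.com
JkMount /* worker2
</VirtualHost>"""

def listed_workers(text):
    """Return worker names from worker.list lines (comments stripped)."""
    names = []
    for line in text.splitlines():
        key, _, value = line.split("#", 1)[0].partition("=")
        if key.strip() == "worker.list":
            names += [w.strip() for w in value.split(",") if w.strip()]
    return names

def parse_jkmounts(text):
    """Return [(vhost, url_pattern, worker)] for each JkMount directive."""
    vhost, mounts = "(global)", []
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"<VirtualHost\s+([^>]+)>", line, re.I):
            vhost = m.group(1).strip()
        elif line.lower().startswith("</virtualhost"):
            vhost = "(global)"
        elif m := re.match(r"JkMount\s+(\S+)\s+(\S+)", line, re.I):
            mounts.append((vhost, m.group(1), m.group(2)))
    return mounts

def check(workers_text, httpd_text):
    """Report JkMount targets absent from worker.list, and unmounted workers."""
    listed, mounts = listed_workers(workers_text), parse_jkmounts(httpd_text)
    used = {w for _, _, w in mounts}
    return ([f"{v}: JkMount {p} -> undefined worker '{w}'"
             for v, p, w in mounts if w not in listed]
            + [f"worker '{w}' is never mounted" for w in listed if w not in used])
```

Calling check(WORKERS, HTTPD) flags both virtual hosts; it returns an empty list once the JkMount lines name ajp13unsecure and ajp13secure.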